remove user impersonation and service account cli (#1768)

* remove user impersonation and service account cli * update doc * remove user impersonation url query params * fix flaky test
2025-08-03 08:50:42 +02:00 · 2021-01-12 09:28:29 -07:00 · 2021-01-12 09:28:29 -07:00 · ab4a68f56f
commit ab4a68f56f
parent eadd8c2482
21 changed files with 258 additions and 831 deletions
--- a/internal/frontend/assets/html/dashboard.go.html
+++ b/internal/frontend/assets/html/dashboard.go.html
@ -136,37 +136,6 @@
                </label>
                {{end}}
                {{end}}
-
-                {{with .State}}
-                {{with .ImpersonateEmail}}
-                <label>
-                  <span>Impersonating Email</span>
-                  <input
-                    type="text"
-                    class="field"
-                    value="{{.}}"
-                    disabled
-                  />
-                </label>
-                {{end}}
-                {{range $i,$_:= .ImpersonateGroups}}
-                <label>
-                  {{if eq $i 0}}
-                  <span>Impersonating Group</span>
-                  {{else}}
-                  <span></span>
-                  {{end}}
-                  <input
-                    type="text"
-                    class="field"
-                    value="{{.}}"
-                    title="{{.}}"
-                    disabled
-                  />
-                </label>
-                {{end}}
-                {{end}}
-
              </fieldset>
            </section>
            <div class="flex">
@ -175,69 +144,6 @@
          </form>
        </div>
      </div>
-
-      {{if .EnableUserImpersonation}}
-      <div id="info-box">
-        <div class="card">
-          <div class="card-header">
-            <h2>Sign-in-as</h2>
-            <img
-              class="icon"
-              src="{{dataURL "/.pomerium/assets/img/supervised_user_circle-24px.svg"}}"
-              xmlns="http://www.w3.org/2000/svg"
-            />
-          </div>
-
-          <form method="POST" action="/.pomerium/admin/impersonate">
-            <input type="hidden" value="{{.RedirectURL}}" name="pomerium_redirect_uri">
-            <section>
-              <p class="message">
-                Administrators can temporarily impersonate another user.
-              </p>
-              {{if not .State.ImpersonateEmail}}
-              <fieldset>
-                <label>
-                  <span>Email</span>
-                  <input
-                    name="{{ .ImpersonateEmail }}"
-                    type="email"
-                    class="field"
-                    value=""
-                    placeholder="user@example.com"
-                  />
-                </label>
-                <label>
-                  <span>Group</span>
-                  <input
-                    name="{{ .ImpersonateGroups }}"
-                    type="text"
-                    class="field"
-                    value=""
-                    placeholder="engineering"
-                  />
-                </label>
-              </fieldset>
-              {{end}}
-            </section>
-            <div class="flex">
-              {{ .csrfField }}
-              <button
-                name="{{ .ImpersonateAction }}"
-                value="set"
-                class="button full"
-                type="submit"
-              >
-                {{if .State.ImpersonateEmail}}
-                  Unimpersonate
-                {{else}}
-                  Impersonate
-                {{end}}
-              </button>
-            </div>
-          </form>
-        </div>
-      </div>
-      {{end}}
    </div>
  </body>
 </html>
--- a/internal/frontend/statik/statik.go
+++ b/internal/frontend/statik/statik.go
--- a/internal/sessions/state.go
+++ b/internal/sessions/state.go
@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"strings"
 	"time"

 	"gopkg.in/square/go-jose.v2/jwt"
@ -63,10 +62,6 @@ type State struct {
 	// Azure returns OID which should be used instead of subject.
 	OID string `json:"oid,omitempty"`

-	// Impersonate-able fields
-	ImpersonateEmail  string   `json:"impersonate_email,omitempty"`
-	ImpersonateGroups []string `json:"impersonate_groups,omitempty"`
-
 	// Programmatic whether this state is used for machine-to-machine
 	// programatic access.
 	Programmatic bool `json:"programatic"`
@ -88,11 +83,6 @@ func (s *State) IsExpired() bool {
 	return s.Expiry != nil && timeNow().After(s.Expiry.Time())
 }

-// Impersonating returns if the request is impersonating.
-func (s *State) Impersonating() bool {
-	return s.ImpersonateEmail != "" || len(s.ImpersonateGroups) != 0
-}
-
 // UserID returns the corresponding user ID for a session.
 func (s *State) UserID(provider string) string {
 	if s.OID != "" {
@ -101,16 +91,6 @@ func (s *State) UserID(provider string) string {
 	return databroker.GetUserID(provider, s.Subject)
 }

-// SetImpersonation sets impersonation user and groups.
-func (s *State) SetImpersonation(email, groups string) {
-	s.ImpersonateEmail = email
-	if groups == "" {
-		s.ImpersonateGroups = nil
-	} else {
-		s.ImpersonateGroups = strings.Split(groups, ",")
-	}
-}
-
 // UnmarshalJSON returns a State struct from JSON. Additionally munges
 // a user's session by using by setting `user` claim to `sub` if empty.
 func (s *State) UnmarshalJSON(data []byte) error {
--- a/internal/sessions/state_test.go
+++ b/internal/sessions/state_test.go
@ -2,7 +2,6 @@ package sessions

 import (
 	"encoding/json"
-	"strings"
 	"testing"
 	"time"

@ -11,32 +10,6 @@ import (
 	"gopkg.in/square/go-jose.v2/jwt"
 )

-func TestState_Impersonating(t *testing.T) {
-	t.Parallel()
-	tests := []struct {
-		name               string
-		ImpersonateEmail   string
-		ImpersonateGroups  []string
-		want               bool
-		wantResponseEmail  string
-		wantResponseGroups string
-	}{
-		{"impersonating", "impersonating@user.com", []string{"impersonating-group"}, true, "impersonating@user.com", "impersonating-group"},
-		{"not impersonating", "", []string{}, false, "actual@user.com", "actual-group"},
-		{"impersonating user only", "impersonating@user.com", []string{}, true, "impersonating@user.com", "actual-group"},
-		{"impersonating group only", "", []string{"impersonating-group"}, true, "actual@user.com", "impersonating-group"},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			s := &State{}
-			s.SetImpersonation(tt.ImpersonateEmail, strings.Join(tt.ImpersonateGroups, ","))
-			if got := s.Impersonating(); got != tt.want {
-				t.Errorf("State.Impersonating() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
 func TestState_IsExpired(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
--- a/internal/urlutil/query_params.go
+++ b/internal/urlutil/query_params.go
@ -4,17 +4,14 @@ package urlutil
 // services over HTTP calls and redirects. They are typically used in
 // conjunction with a HMAC to ensure authenticity.
 const (
-	QueryCallbackURI       = "pomerium_callback_uri"
-	QueryImpersonateEmail  = "pomerium_impersonate_email"
-	QueryImpersonateGroups = "pomerium_impersonate_groups"
-	QueryImpersonateAction = "pomerium_impersonate_action"
-	QueryIsProgrammatic    = "pomerium_programmatic"
-	QueryForwardAuth       = "pomerium_forward_auth"
-	QueryPomeriumJWT       = "pomerium_jwt"
-	QuerySession           = "pomerium_session"
-	QuerySessionEncrypted  = "pomerium_session_encrypted"
-	QueryRedirectURI       = "pomerium_redirect_uri"
-	QueryForwardAuthURI    = "uri"
+	QueryCallbackURI      = "pomerium_callback_uri"
+	QueryIsProgrammatic   = "pomerium_programmatic"
+	QueryForwardAuth      = "pomerium_forward_auth"
+	QueryPomeriumJWT      = "pomerium_jwt"
+	QuerySession          = "pomerium_session"
+	QuerySessionEncrypted = "pomerium_session_encrypted"
+	QueryRedirectURI      = "pomerium_redirect_uri"
+	QueryForwardAuthURI   = "uri"
 )

 // URL signature based query params used for verifying the authenticity of a URL.